Researchers Douse Wildfire Ransomware with Decryption Tool

Written by

Intel Security and Kaspersky Lab have announced the release of a decryption tool to stifle the Wildfire ransomware that has beset users across Belgium and the Netherlands.

Wildfire primarily spreads through Dutch spam emails from transport companies, targeted at Dutch speakers, fooling them with a notice of a ‘missed’ delivery and steps for scheduling a new delivery by filling in a ‘special form’ attached to the message. This form is nothing more than an obfuscated dropper which infects the victim with ransomware, demanding the sum of 1.5 bitcoins to unlock their files.

The group behind the ransomware netted US$79,481 (£60,240, A$104,399) in the last month by infecting 5309 systems, Intel Security chief technology officer Raj Samani and advanced threat researcher Christiaan Beek found.

"The actors behind Wildfire have clearly put a lot of effort into making their spam mails look credible and very specific," they said.

What’s more, like other ransomware types such as CryptoWall, Wildfire does not encrypt victims from a certain set of countries; a strong indicator that an Eastern European group could be responsible, says Intel.

However, victims now have the means to unlock their data without having to part with their cash, with researchers making available an initial 1600 keys for Wildfire (with more to come) as part of the NoMoreRansom effort.

“With ransomware being the most devastating type of malware currently doing the rounds any decrease in its activity is a great thing,” said Mark James, security specialist at ESET.

“Always be very wary of email attachments and links from unknown sources," he added. "If you are unfortunate enough to be infected with ransomware and do not have a current backup to restore from then make sure you check around to see if public decryption keys are available."

What’s hot on Infosecurity Magazine?